Building the Internet's missing identity layer
A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!
This addresses all known issues with the specification. I believe that it is now time to request publication.
The specification is available at:
An HTML-formatted version is also available at:
The W3C Web Authentication working group has published the sixth working draft of the W3C Web Authentication specification. It now can request that the authenticator support user verification – meaning that it can be used as the sole or first authentication factor. It now also uses the standard CBOR COSE_Key key representation [RFC8152]. Like WD-05, implementation and interop testing for WD-06 is planned.
I’m happy to announce that the OAuth working group adopted the JSON Web Token Best Current Practices (JWT BCP) draft that Yaron Sheffer, Dick Hardt, and I had worked on, following discussions at IETF 99 in Prague and on the working group mailing list.
The specification is available at:
An HTML-formatted version is also available at:
The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the “typ” header parameter. For instance, the Security Event Token (SET) specification now uses the “application/secevent+jwt” content type to explicitly type SETs.
The specification is available at:
An HTML-formatted version is also available at:
The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were:
Thanks for the feedback received to date!
The specification is available at:
An HTML-formatted version is also available at:
A new version of the Security Event Token (SET) specification has been published containing measures that prevent any possibility of confusion between ID Tokens and SETs. Preventing confusion between SETs, access tokens, and other kinds of JWTs is also covered. Changes were:
application/secevent+jwt media type and defined how to use it for explicit typing of SETs.This draft is intended to provide solutions to the issues that had been discussed in IETF 98 in Chicago and subsequently on the working group mailing list. Thanks for all the great discussions that informed this draft!
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that addresses editorial comments made by Carsten Bormann and Jim Schaad. All changes were editorial in nature.
The specification is available at:
An HTML-formatted version is also available at:
The IESG approved the “Using RSA Algorithms with COSE Messages” specification for publication as an RFC today. A new version was published incorporating the IESG feedback. Thanks to Ben Campbell, Eric Rescorla, and Adam Roach for their review comments. No normative changes were made.
The specification is available at:
An HTML-formatted version is also available at:
The Authentication Method Reference Values specification is now RFC 8176. The abstract describes the specification as:
The
amr(Authentication Methods References) claim is defined and registered in the IANA “JSON Web Token Claims” registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.
The specification defines and registers some Authentication Method Reference values such as the following, which are already in use by some Google and Microsoft products and OpenID specifications:
face” — Facial recognitionfpt” — Fingerprinthwk” — Proof-of-possession of a hardware-secured keyotp” — One-time passwordpin” — Personal Identification Numberpwd” — Passwordswk” — Proof-of-possession of a software-secured keysms” — Confirmation using SMSuser” — User presence testwia” — Windows Integrated AuthenticationSee https://www.iana.org/assignments/authentication-method-reference-values/ for the full list of registered values.
Thanks to Caleb Baker, Phil Hunt, Tony Nadalin, and William Denniss, all of whom substantially contributed to the specification. Thanks also to the OAuth working group members, chairs, area directors, and other IETF members who helped refine the specification.
A new version of the “Using RSA Algorithms with COSE Messages” specification has been published that addresses the IETF last call feedback received. Additional security considerations were added and the IANA Considerations instructions were made more precise. Thanks to Roni Even and Steve Kent for their useful reviews!
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that addresses the Working Group Last Call (WGLC) feedback received. Changes were:
Thanks to Samuel Erdtman for doing the majority of the editing for this draft. As always, people are highly encouraged to validate the examples.
The specification is available at:
An HTML-formatted version is also available at:
JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption (JOSE) functions underlying them are now being widely used in diverse sets of applications. During IETF 98 in Chicago, we discussed reports of people implementing and using JOSE and JWTs insecurely, the causes of these problems, and ways to address them. Part of this discussion was an invited JOSE/JWT Security Update presentation that I gave to two working groups, which included links to problem reports and described mitigations. Citing the widespread use of JWTs in new IETF applications, Security Area Director Kathleen Moriarty suggested during these discussions that a Best Current Practices (BCP) document be written for JSON Web Tokens (JWTs).
I’m happy to report that Yaron Sheffer, Dick Hardt, and myself have produced an initial draft of a JWT BCP. Its abstract is:
JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.
In Section 2, we describe threats and vulnerabilities. In Section 3, we describe best practices addressing those threats and vulnerabilities. We believe that the best practices in Sections 3.1 through 3.8 are ready to apply today. Section 3.9 (Use Mutually Exclusive Validation Rules for Different Kinds of JWTs) describes several possible best practices on that topic to serve as a starting point for a discussion on which of them we want to recommend under what circumstances.
We invite input from the OAuth Working Group and other interested parties on what best practices for JSON Web Tokens and the JOSE functions underlying them should be. We look forward to hearing your thoughts and working on this specification together.
The specification is available at:
An HTML-formatted version is also available at:
This appeared in the Columbus Dispatch on Tuesday, May 19, 1987 on page B1…
“I didn’t expect to win,” said Sheila Richter of Minneapolis after taking top honors, or dishonors, in an annual bad writing contest that drew more than 10,000 entries. “I knew my entry was dreadful, but I didn’t know it was that dreadful.” Richter, who works at the University of Minnesota, wins a personal computer and “whatever public humiliation may come her way,” said Scott Rice, an English professor at San Jose State University and founder of the Bulwer-Lytton Fiction Contest. Richter’s winning entry reads: “The notes blatted skyward as the sun rose over the Canada geese, feathered rumps mooning the day, webbed appendages frantically pedaling unseen bicycles in their search for sustenance, driven by cruel Nature’s maxim, ‘ya wanna eat, ya gotta work,’ and at last I knew Pittsburgh.”
A slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
I gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:
(Photo from https://twitter.com/drummondreed/status/862314926433603584)
The W3C Web Authentication working group has published the fifth working draft of the W3C Web Authentication specification. It has a new title that’s more reflective of what it enables: “Web Authentication: An API for accessing Public Key Credentials“. Among other changes, the draft is now aligned with the W3C Credential Management API. Numerous issues were resolved and many improvements in the process of creating this release.
While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.
With the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800, “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, so that applications using CWTs will have a standard representation for proof-of-possession keys. I know that PoP keys are important to ACE applications, for instance. I therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.
The specification is available at:
An HTML-formatted version is also available at:
A revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated examples.
The specification is available at:
An HTML-formatted version is also available at:
As announced by the OpenID Foundation, the OpenID membership has approved Implementer’s Drafts of the three OpenID Connect logout specifications. That means that developers and deployers can now count on the intellectual property protections that come with being Implementer’s Drafts.
These are the first Implementer’s Drafts of these specifications:
Whereas, this is the fourth Implementer’s Draft of this specification:
Each of these protocols communicate logout requests from OpenID Providers to Relying Parties, but using different mechanisms that are appropriate for different use cases. See the Introduction sections of each of the specifications for descriptions of the mechanisms used and comparisons between them. All the specifications share a common mechanism for communicating logout requests from Relying Parties to OpenID Providers.
As expected, the reviews generated some great feedback on ways to make the specs clearer. I expect the working group to incorporate that feedback in future revisions.
Security area director Stephen Farrell had asked us to make it as clear as possible to people who might be registering new “amr” values that names can identify families of closely-related authentication methods. This is now said right in the IANA Registration Template, so that people who might not have read the spec can’t miss it.
FYI, all the previous IESG DISCUSSes have now been cleared, so hopefully that means this is the last version to be published before the Authentication Method Reference Values specification becomes an RFC.
Thanks again to Stephen for his always-thorough reviews of the specification.
The specification is available at:
An HTML-formatted version is also available at:
Powered by WordPress & Theme by Anders Norén